California Privacy Bill Goes Quietly Into the Night

A measure that would have prevented personal data from being sold doesn't even go up for a vote.

Unless you've taken measures to prevent it, financial institutions are passing around your Social Security number, financial records and personal information like old photos at a family reunion.

The information you've given banks, insurance companies and other financial institutions quietly fuels the modern financial services industry, where credit scores determine creditworthiness and customers are corralled into databases.

"At issue here is who really has control of your personal information," says Tena Friery, research director of the Privacy Rights Clearinghouse, a nonprofit consumer advocacy site. "Once your bank sells your personal information to a third-party marketer or a telemarketer, that bank has lost all control over it, and it can be passed from one source to another."

The issue is so hot that California and other states have begun considering legislation to increase privacy protection for consumers. This week, in a pitched battle, California lawmakers nearly passed a landmark consumer-privacy bill from state Sen. Jackie Speier that would have created privacy standards that exceed federal law.

But California Assembly Speaker Herb Wesson never put the measure up to a vote, which killed its chances of passage for a second straight year.

Of course, just because the bill is gone, that doesn't mean measures to increase privacy protection will be forgotten. If anything, California's failed attempt was the tip of the legislative iceberg -- something that could spell trouble for financial services firms down the road.

Last year, Vermont became the first state to pass tougher regulations that supercede federal law. In June, North Dakota voters approved a similar measure by a 3 to 1 margin. And a group of Californians led by E-Loan ( EELN) CEO Chris Larsen, called Californians for Privacy Now, are prepared to put the issue to the test in a March 2004 referendum.

"We've set up the committee and I've personally funded it with a million dollars," says Larsen. "Privacy is an issue and will continue to be one. We believe that technology has moved ahead of legal protections and that is why this issue won't go away."

What's the Big Deal, Anyway?

Not only do financial institutions make millions of dollars by selling your personal information, they stand to make millions more by tailoring marketing pitches based on what they've found out about you from others. Credit-card mailings, promotional emails about mortgage products and telemarketer phone calls are the public symptoms of this widespread phenomenon.

It's more than an annoyance. As the flow of information has increased, so have the number of identity theft complaints. Last year, the Federal Trade Commission estimated that 750,000 people were victims of identity theft, a figure they expect to double by 2005.

The problem with federal regulation, according to many consumer groups, is that it doesn't provide strong privacy protections for consumers, something the California bill, called SB773, was attempting to remedy.

Under current federal law, established in 1999's Gramm-Leach-Bliley Act, consumers must inform financial institutions if they don't want their personal information shared with third-party affiliates. Starting in July 2001, financial institutions became required to inform customers once a year of their information-sharing policies and provide customers with the ability to opt out of third-party information sharing.

But even if customers opt out, some financial information can still be shared. Within a financial services juggernaut like Citigroup ( C), there is no way to prevent the company's credit-card unit from passing your financial information over to the salespeople in the mortgage department. And when banks create joint-marketing agreements among themselves, it's impossible to opt out under federal law.

"The California bill (SB773) would require financial institutions to get permission before selling or sharing your information with third-party affiliates," Friery says. "You'd 'opt in' to share information, which is the total opposite of federal policy. And when it comes to joint marketing and sharing with affiliates (within the corporation), you'd have the ability to opt out."

Under the proposed California law and ones passed in Vermont and North Dakota, consumers would gain greater control over their personal financial information, which supporters say will cut down on unwanted solicitations and curb some forms of identity theft.

The Cost of Privacy

But privacy comes with a price tag. When Vermont passed its law financial services companies incurred few costs, because they simply automatically opted out the relatively small number of Vermont customers they had. But if an economically powerful state with a massive bloc of voters, like California, passes tougher regulations, it would create a de facto national standard.

With the death of California's bill, the financial services industry dodged a bullet. Had it passed, companies would have spent millions to comply with new state regulations, just two years after the financial services industry spent millions to comply with Gramm-Leach-Bliley. Furthermore, companies would have lost revenue generated from their ability to sell and trade customer information at will.

"In California, they'd incur the cost of sending separate notices to customers. And in a back-office sense, financial companies in California will have to significantly retool the systems to accept, track and manage customer preferences," says Michael Beresik, national director of privacy issues at PricewaterhouseCoopers. "Changing these systems to accommodate those requests is not easy or inexpensive."

It would have also created a regulatory nightmare, because the boundary-free Internet would have been regulated on the local level.

"This could create a crazy quilt of legislation where the state with the harshest penalties sets policy for the whole country," says Christopher Wolf, a partner in Proskauer Rose, a law firm specializing in intellectual property. "I'm all in favor of privacy, but I don't think it should be legislated at the state and local level. If I'm an Internet merchant in Washington, I don't want to be subject to California's laws."